Control of access to files

ABSTRACT

A method, system and program product for using access-control lists to control access to categorized computer files. Two or more computer files are each associated with one of a set of possible classifications that fall within a single category and an access-control list associates a user with a subset of these classifications. In response to the user's request for access to one of these files, where the request specifies the requested file but does not specify the category of the requested file, the processor identifies the requested file's category based on that file's associated classifications, checks the access-control list to determine that the user is authorized to access files of the identified category, and then grants the requesting user access to the requested file.

TECHNICAL FIELD

The present invention relates generally to computer systems, and more specifically to control of access to categorized files.

BACKGROUND

An access-control list (“ACL”) is a well known security mechanism that comprises a list that can be used to limit access to data files and program files to one or more people listed in the ACL. For example, a user “John Smith” or a named program may be listed in an ACL, along with a named data file or a named program file, as being authorized to access the named data file or the named program file. If John Smith or the named program requests access to the file, the operating system checks the ACL to determine if John Smith or the named program is authorized to access the file.

While this type of ACL is secure, it must be updated every time a file is added to the system in order to add an entry in the ACL for the new file and to indicate which entities are authorized to access the new file.

BRIEF SUMMARY

Embodiments of the present invention comprise a method, system and program product for using access-control lists to control access to computer files. These embodiments receive and store classifications of two or more computer files, where those classifications fall within a single category. This category may, for example, identify products or product lines, geographic locations, customer account identifiers, network types, server platform types, or server operating statuses that may be associated with an access-controlled file.

This method, system, and program product further comprise receiving a configuration of an access-control list that grants one or more users access to the files based on the single category. In response to a requesting user's request for access to one of these files, where the request specifies the requested file but not the category of the requested file, one or more processors identify the requested file's category based on that file's stored classification, check the access-control list to determine that the user is authorized to access files of the identified category, and then grant the requesting user access to the requested file.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a computer system according to an embodiment of the present invention.

FIG. 2 illustrates the internal structures of stored data items shown in FIG. 1 according to an embodiment of the present invention.

FIG. 3 is a flow chart that illustrates steps of access-control application 107 performed upon data items 117 and 119 of FIGS. 1 and 2, in accordance with embodiments of the present invention.

FIG. 4 illustrates the internal structure of data items that comprise a security architecture that conforms to an embodiment of the present invention.

DETAILED DESCRIPTION

The present invention provides a method, computer system, and computer program product that implement a categorized ACL that secures data files and program files within a secured computer system.

An ACL may be used to secure a system that may comprise, but is not limited to, a computer system, all or part of a computer network, or other type of computing environment. An ACL may be one component of a security architecture that comprises other security mechanisms and rules.

In embodiments of the present invention, an ACL may be used in conjunction with a method of categorizing secured data files and secured program files. In such embodiments, the ACL may be configured to determine whether to grant a user access to a secured data file or a secured program file as a function of which categories are associated with the secured file.

In some embodiments, security procedures, data, and logic, including access-control lists and associated categories, may be organized into a security architecture stored in an information repository. Such an information repository may refer here to any collection of stored information and may be implemented as a set of databases, file systems, tables, data warehouses, or other data-storage platforms, using technologies well-known to those skilled in the art of computer-system design. Such implementations may take a wide variety of forms and, in some cases, stored categories may be further divided into subcategories.

In one example of how embodiments of the present invention might use an ACL-based authorization mechanism, a company might sell a set of products that are divided into “Product Line” categories. In such an embodiment, a secured computer system might store a set of secured data files, where each data file is related to one product of the set of products, and where each data file is assigned a Product Line category that is associated with a product related to that data file.

An embodiment of the present invention in this case might comprise an ACL that lists users and the categories of documents that each user is authorized to access. If a user requests access to a document, the security system will identify the category of the document, use the ACL to determine if the user is authorized to access documents in that category, and, depending on whether it determines that the user is so authorized, either grant or deny the user access to the requested document. Similar embodiments may be used to grant or deny users access to files based on categories that comprise, but are not limited to, geographic locations, customer-account identifiers, network types, server-platform types, and the operating status of a server.

FIG. 1 is a block diagram of a computer system according to an embodiment of the present invention. FIG. 1 refers to objects 101-119.

Aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module,” or “system.” Furthermore, in one embodiment, the present invention may take the form of a computer program product comprising one or more physically tangible (e.g., hardware) computer-readable medium(s) or devices having computer-readable program code stored therein, this program code configured to be executed by a processor of a computer system to implement the methods of the present invention. In embodiments of the present invention wherein physically tangible computer-readable medium(s) and/or device(s) (e.g., hardware media and/or devices) store the program code that implements methods of the present invention, this program code does not comprise a signal generally, or a transitory signal in particular.

Any combination of one or more computer-readable storage medium(s) or devices may be used. The computer-readable storage medium may be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium or device may include the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable optical disc read-only memory (such as a CD-ROM or BD-ROM), another optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer-readable storage medium may be any physically tangible medium or hardware device that can store a program for use by or in connection with an instruction execution system, apparatus, or device.

Program code embodied on a computer-readable medium may be transmitted using any appropriate medium, including but not limited to wireless communications media, optical fiber cable, electrically conductive cable, radio-frequency or infrared electromagnetic transmission, etc., or any suitable combination of the foregoing.

Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including, but not limited to programming languages like Java, Smalltalk, and C++, and one or more scripting languages, including, but not limited to, scripting languages like JavaScript, Perl, and PHP. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN), a wide area network (WAN), an intranet, an extranet, or an enterprise network that may comprise combinations of LANs, WANs, intranets, and extranets, or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).

Aspects of the present invention are described above and below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present invention. It will be understood that each block of the flowchart illustrations, block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams of FIGS. 1-4 can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data-processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data-processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable medium that can direct a computer, other programmable data-processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture, including instructions that implement the function/act specified in the flowchart and/or block diagram block or blocks.

The computer program instructions may also be loaded onto a computer, other programmable data-processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus, or other devices to produce a computer-implemented process such that the instructions that execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

The flowchart illustrations and/or block diagrams FIGS. 1-4 illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, wherein the module, segment, or portion of code comprises one or more executable instructions for implementing one or more specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by special-purpose hardware-based systems that perform the specified functions or acts, or combinations of special-purpose hardware and computer instructions.

In FIG. 1, computer system 101 comprises a processor 103 coupled through one or more I/O Interfaces 109 to one or more hardware data storage devices 111 and one or more I/O devices 113 and 115.

Hardware data storage devices 111 may include, but are not limited to, magnetic tape drives, fixed or removable hard disks, optical discs, storage-equipped mobile devices, and solid-state random-access or read-only storage devices. I/O devices may comprise, but are not limited to: input devices 113, such as keyboards, scanners, handheld telecommunications devices, touch-sensitive displays, tablets, biometric readers, joysticks, trackballs, or computer mice; and output devices 115, which may comprise, but are not limited to printers, plotters, tablets, mobile telephones, displays, or sound-producing devices. Data storage devices 111, input devices 113, and output devices 115 may be located either locally or at remote sites from which they are connected to I/O Interface 109 through a network interface.

Processor 103 may also be connected to one or more memory devices 105, which may include, but are not limited to, Dynamic RAM (DRAM), Static RAM (SRAM), Programmable Read-Only Memory (PROM), Field-Programmable Gate Arrays (FPGA), Secure Digital memory cards, SIM cards, or other types of memory devices.

At least one memory device 105 contains stored computer program code 107, which is a computer program that comprises computer-executable instructions that. Here, the stored computer program code comprises a security software application that implements a method for controlling access to files in accordance with embodiments of the present invention, and may implement other embodiments described in this specification, including the methods illustrated in FIGS. 1-4. The data storage devices 111 may store the stored computer code that comprises the security application 107 and may further store other components of embodiments of the present invention, such as access-control lists 117, lists of file classifications 119, or other components of a security architecture.

In some embodiments, data storage devices 111 may comprise an information repository that stores other components of embodiments of the present invention, such as access-control lists 117, lists of file classifications 119, or other components of a security architecture. Computer program code 107 stored in the data storage devices 111 is configured to be executed by processor 103 via the memory devices 105. Processor 103 executes the stored computer program code 107.

Thus the present invention discloses a process for supporting computer infrastructure, integrating, hosting, maintaining, and deploying computer-readable code into the computer system 101, wherein the code in combination with the computer system 101 is capable of performing a method for controlling access to computer files using an access-control list.

Any of the components of the present invention could be created, integrated, hosted, maintained, deployed, managed, serviced, supported, etc. by a service provider who offers to facilitate a method for controlling access to computer files using an access-control list. Thus the present invention discloses a process for deploying or integrating computing infrastructure, comprising integrating computer-readable code into the computer system 101, wherein the code in combination with the computer system 101 is capable of performing a method for controlling access to computer files using an access-control list.

One or more data storage units 111 (or one or more additional memory devices not shown in FIG. 1) may be used as a computer-readable hardware storage device having a computer-readable program embodied therein and/or having other data stored therein, wherein the computer-readable program comprises stored computer program code 107. Generally, a computer program product (or, alternatively, an article of manufacture) of computer system 101 may comprise the computer-readable hardware storage device.

FIG. 2 illustrates the internal structures of stored data items shown in FIG. 1 according to an embodiment of the present invention. FIG. 2 comprises reference numerals 111, 117, and 119, which are also shown in FIG. 1.

Reference numeral 111 shows one of the data storage devices identified by the reference number 111 in FIG. 1 and described in the text that accompanies FIG. 1. Storage device 111 may store one or more access-control lists 117 and one or more lists of file classifications 119.

Reference numeral 117 identifies an access-control list that corresponds to the ACL 117 in FIG. 1 and which is described in the text that accompanies FIG. 1. Some embodiments of the present invention may comprise multiple access-control lists.

In FIG. 2, access-control list 117 comprises a list of user identifiers or credentials and a set of classifications associated with each user identified by an entry in the list. In this example, each classification represents an instance of a geographic location “GeoID” category. In other examples, classifications may represent instances of a different category, such as, but not limited to: product-line identifier, customer-account identifier, network type, server-platform type, or server operating status.

In the example of FIG. 2, each user enumerated in access-control list 117 is authorized to access files that are classified by a geographic location associated with the user in ACL 117. For example, the first entry of access-control list 117 associates user credentials john.smith@hq_US.com with “NA” (North America), “SA” (South America), and “PR” (Pacific Rim) classification instances of category GeoID. Here, that entry designates that the user identified as “john.smith@hq_US.com” may access files classified by classification “NA,” “SA,” or “PR.”

Reference numeral 119 identifies a file-classification list that enumerates a set of files and stores one or more classifications associated with each file in the set. In this example, all classifications comprised by the file-classification list belong to the GeoID category. The first entry, for example, designates that file S3000137a.doc is classified by geographic location “NA.” Just as it is possible for a user listed in access-control list 117 to be authorized to access more than one classification of files, it is possible for a file in list 119 to be classified by more than one classification of a category.

FIG. 3 is a flow chart that illustrates steps of access-control application 107 performed upon data items 117 and 119 of FIGS. 1 and 2, in accordance with embodiments of the present invention. FIG. 3 comprises steps 301-313.

In step 301, a processor receives classifications of a set of two or more files, where each classification comprises at least one instance of a category, and stores the classifications of the set of files in a file-classification list 119. In FIG. 2, for example, file-classification list 119 lists a file S3000137E.pdf that is classified by two instances “NA” and “EU” of category GeoID.

Here, all classifications stored in file-classification list 119 are instances of the same category. In some embodiments, a processor may classify multiple sets of files in this way, wherein each file-classification list comprises classifications of a single category, but where two file-classification lists do not necessarily comprise classifications of the same category.

In step 303, the processor receives a configuration of an access-control list (ACL) 117, wherein the ACL 117 lists a set of user identifiers and associates one or more classifications of a category to each identified user in the list. In the example of FIGS. 2 and 3, the user identified by “maria.vasquez@hq_VZ.com” is associated in ACL 117 with an “SA” (“South America”) instance of category GeoID. In embodiments, this association would imply that the user identified by “maria.vasquez@hq_VZ.com” has authority to access documents classified by the “SA” instance of category GeoID. In FIG. 2, that authorization would grant this user access to file “S3000137x_fin_rev_(—)0002.01.docx,” which is classified with an instance “SA” of category GeoID in file-classification list 119.

In step 305, the processor receives a request to grant a user access to one or more of the files listed in file-classification list 119. This request may come in any of a variety of forms, depending on implementation details, such as an attempt to display secured media on a mobile device, a database query made from a personal computer, or a hyperlink click by a user of an Internet browser. In all cases, the request identifies at least a requesting user and a requested file, but does not specify an associated category, wherein instances of that associated category may have classified the requested file.

In an example based on FIG. 2, a request that specifies a user identified by “john.smith@hq_US.com” and file S3000137a.doc may imply that the user identified by “john.smith@hq_US.com” has requested access to file S3000137a.doc. In some embodiments, this access may comprise authorization to read, write, delete, display, move, copy, or reformat the requested file, or may comprise a combination of secured behaviors.

In some embodiments, as described in FIG. 4, step 305 may comprise additional authentication and authorization steps.

Step 307 identifies the associated category based on a classification associated with the requested file in file-classification list 119. In the previous example based on FIG. 2, wherein a user request specified file S3000137a.doc, a lookup into file-classification list 119 would show that file S3000137a.doc is associated in that list 119 with an instance of category GeoID. In other embodiments, this identification function may comprise additional or different procedures.

Step 309 determines whether ACL 117 authorizes the requesting user to access the requested file. In the ongoing example based on FIG. 2, this determination would be made by comparing instances of GeoID in ACL 117 associated with requesting user “john.smith@hq_US.com” to instances of GeoID in file-classification list 119 associated with requested file S3000137a.doc.

Step 311 decides whether to grant the requesting user access to the requested file, based on the determination of step 309. If step 309 had determined that ACL 117 authorizes the requesting user to access the requested file, then the method of FIG. 3 continues with step 313. If step 309 had determined that ACL 117 does not authorize the requesting user to access the requested file, then the method of FIG. 3 terminates without granting such authorization.

In the ongoing example based on FIG. 2, the requesting user, identified by user identifier “john.smith@hq_US.com,” is associated with GeoID-category classifications “NA,” “SA,” and “PR,” thus giving the requesting user access to files that are associated in file-classification table 119 with any of those three classifications. In other embodiments, this determining procedure may comprise additional or different steps, and the types of access authorized by these steps may be more complex. Here, because file S3000137a.doc is associated with classification “NA,” which is one of the three classifications associated with the user identified as “john.smith@hq_US.com,” step 311 decides to grant the requesting user access to the requested file via step 313.

In a counterexample based on FIG. 2, a second user request might specify a requesting user identified by identifier “maria.vasquez@hq_VZ.com,” who is associated in ACL 117 with GeoID-category classification “SA,” and might further specify requested file “S3000137a.doc,” which is associated in file-classification list 119 with GeoID-category classification “NA.” In this counterexample, step 309 would have determined that the ACL 117 does not authorize the requesting user to access the requested file, and step 311 would decide that step 313 should not be performed.

In other embodiments, the determination procedure of step 309 may comprise additional functions or functions different than a simple direct comparison of classifications stored in an ACL to classifications stored in a file-classification list.

In the ongoing example, step 313 grants the requesting user access to the requested file because step 309 had determined that ACL 117 authorizes the requesting user to access the requested file, as a function of the GeoID-category classifications associated with the requesting user's identifier in ACL 117 and as a further function of the GeoID-category classifications associated with the requested file in file-classification list 119. If step 309 had determined that ACL 117 does not authorize the requesting user to access the file requested, step 313 would not have been performed.
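The FIG. 3 flow (steps 301 through 313) traced above, carried through as an added Python example that is not the patent's own code: the ACL and file-classification entries are the FIG. 2 values quoted in the description, the class and function names are assumptions, and S3000137s.doc is a constructed stand-in for the SA-classified file.

```python
"""Worked model of the categorized-ACL check of FIG. 3 (steps 301 through 313).

Added example code, not the patent's own implementation. The ACL and the
file-classification list are built from the FIG. 2 entries quoted in the
description; the classes and function names are assumptions, and the file
S3000137s.doc is a constructed stand-in for the SA-classified file.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional


@dataclass
class FileClassificationList:
    """Item 119: file name -> classification instances, all of one category."""
    category: str
    entries: Dict[str, FrozenSet[str]] = field(default_factory=dict)

    def classify(self, filename: str, *instances: str) -> None:
        """Step 301: receive and store a file's classifications."""
        self.entries[filename] = frozenset(instances)

    def category_of(self, filename: str) -> Optional[str]:
        """Step 307: the request names only the file; derive its category here."""
        return self.category if filename in self.entries else None


@dataclass
class AccessControlList:
    """Item 117: user identifier -> classification instances the user may access."""
    category: str
    entries: Dict[str, FrozenSet[str]] = field(default_factory=dict)

    def grant(self, user: str, *instances: str) -> None:
        """Step 303: configure the ACL entry for one user."""
        self.entries[user] = frozenset(instances)


def is_authorized(acl: AccessControlList, fcl: FileClassificationList,
                  user: str, filename: str) -> bool:
    """Steps 307 and 309: identify the file's category, then compare the
    user's ACL instances with the file's classification instances."""
    category = fcl.category_of(filename)
    if category is None or category != acl.category:
        # Unknown file, or this ACL governs a different category: fail closed.
        return False
    user_instances = acl.entries.get(user, frozenset())   # unlisted user -> empty set
    file_instances = fcl.entries[filename]
    # A file may carry several instances (S3000137E.pdf is both NA and EU);
    # any instance shared with the user's ACL entry satisfies the check.
    return not user_instances.isdisjoint(file_instances)


def handle_request(acl: AccessControlList, fcl: FileClassificationList,
                   user: str, filename: str) -> str:
    """Steps 305, 311 and 313: the request names a user and a file but no
    category; return the decision of step 311."""
    return "GRANT" if is_authorized(acl, fcl, user, filename) else "DENY"


def build_fig2_example():
    """The FIG. 2 data as quoted in the text, plus one constructed SA file."""
    fcl = FileClassificationList(category="GeoID")
    fcl.classify("S3000137a.doc", "NA")
    fcl.classify("S3000137E.pdf", "NA", "EU")
    fcl.classify("S3000137s.doc", "SA")            # constructed stand-in
    acl = AccessControlList(category="GeoID")
    acl.grant("john.smith@hq_US.com", "NA", "SA", "PR")
    acl.grant("maria.vasquez@hq_VZ.com", "SA")
    return acl, fcl


if __name__ == "__main__":
    acl, fcl = build_fig2_example()
    for user, filename in [("john.smith@hq_US.com", "S3000137a.doc"),
                           ("maria.vasquez@hq_VZ.com", "S3000137a.doc"),
                           ("maria.vasquez@hq_VZ.com", "S3000137s.doc")]:
        print(f"{user} -> {filename}: {handle_request(acl, fcl, user, filename)}")
```

Because the request never names the category, the lookup key in `category_of` must be the file's canonical identity as stored in list 119, and every miss (unknown file, unlisted user, category mismatch) denies rather than falls through.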

FIG. 4 illustrates the internal structure of data items that comprise a security architecture that conforms to an embodiment of the present invention. FIG. 4 comprises items 117, 401, and 403.

FIG. 4 presents one example of how embodiments of the present invention may comprise security architectures that might enhance the ACL-based method of FIGS. 2-3 with additional components, steps, logic, or stored data. These embodiments may comprise multiple access-control lists and multiple categories.

In this example, reference number 401 refers to an access-control list “TRANSACTIONS,” which stores a plurality of sets of transaction data, and where each set of transaction data is associated with an instance of a transaction-identifier category “TicketID.”

Each transaction in ACL TRANSACTIONS 401 may be further associated with a numerically coded instance of a geographic location category “GeoID” and with up to three authorization levels, where the instances of the three authorization levels are respectively stored as instances of variables “AuthL1,” “AuthL2,” and “AuthL3.” In this example, an instance of GeoID and an instance of each of the three authorization levels may be stored in the TRANSACTIONS 401 ACL in a manner that associates these four data items with an instance of TicketID category. In some cases, an instance of the TicketID category may be associated with a subset of these four instances, or may be associated with a subset of the four instances through a different logical relation.

In FIG. 4, for example, the first data row of ACL TRANSACTIONS 401 comprises transaction data that associates a transaction-identifier “TK121004” with a geographic location “1,” a first authorization level of “34,” a second authorization level of “55,” and a third authorization level of “6.”

Reference number 403 identifies a second access-control list “LOCATIONS,” which stores information associated with instances of the category “GeoID.”

In this example, GeoID identifies a geographic location that is associated with a four-tier hierarchy of progressively narrower sublocations, and where each sublocation is identified by a subcategory data item stored in table LOCATIONS 403.

This hierarchy comprises:

    GeoID>Region>Country>StPr>City,

where an instance of geographic location category GeoID is associated with a global region identified by an instance of data item “Region,” a country identified by an instance of data item “Country,” a state, province, or national region identified by an instance of data item “StPr,” and a city identified by an instance of data item “City.”

In the example of FIG. 4, the first row of access-control list LOCATIONS 403 associates a GeoID instance of “1” with a global region “NA” (“North America”), a country “US,” a state/province/national region “NYS” (“New York State”), and a city “NYC” (“New York City”).

Reference number 117 identifies a third access-control list “USERS,” which classifies UserID user identifiers with instances of category “GeoID.”

In the example of FIG. 4, ACLs LOCATIONS 403 and USERS 117 are logically related by the category GeoID, which is both a category in ACL LOCATIONS 403 and associated with instances of variable UserID in table USERS 117.

An instance of UserID in table USERS 117 identifies a set of user credentials that identify an individual user or user group, where that set of user credentials is associated with an instance of geographic location GeoID.

The first data row of ACL USERS 117 in FIG. 4, for example, comprises an instance of UserID that identifies user credentials “J.Smith01@hq01.com” and associates those credentials with a geographic location identified by an instance of category GeoID that has a value of “1.” Here, a GeoID value of 1 corresponds to the first set of entries of table LOCATIONS 403, which associates a GeoID value of “1” with the hierarchy “NA>US>NYS>NYC.” In effect, ACL LOCATIONS 403 is one component of a security architecture that comprises a structured category GeoID, wherein this structured category comprises a set of subcategories, and wherein each set of instances of this set of subcategories is organized into a data structure.
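The USERS-to-LOCATIONS join over the shared GeoID category described above, as an added Python example that is not the patent's own code. The first row of each table is the FIG. 4 row quoted in the text; the second rows, the file names, and the convention of classifying a file by a prefix of the Region>Country>StPr>City hierarchy are constructed assumptions.

```python
"""Resolving a structured GeoID through the linked ACLs of FIG. 4.

Added example code, not the patent's own implementation. The first row of
each table is the FIG. 4 row quoted in the description (J.Smith01@hq01.com ->
GeoID 1 -> NA>US>NYS>NYC); the second rows and the file classifications are
constructed, and classifying a file by a prefix of the hierarchy is an assumption.
"""
from typing import Dict, NamedTuple, Optional, Tuple

# Subcategories of the structured category GeoID, widest first
# (the text's GeoID>Region>Country>StPr>City hierarchy).
TIERS: Tuple[str, ...] = ("Region", "Country", "StPr", "City")


class Location(NamedTuple):
    Region: str
    Country: str
    StPr: str
    City: str


# ACL LOCATIONS 403: GeoID -> one instance of each subcategory.
LOCATIONS: Dict[int, Location] = {
    1: Location("NA", "US", "NYS", "NYC"),   # row quoted in the text
    2: Location("NA", "CA", "ON", "TOR"),    # constructed
}

# ACL USERS 117: UserID (user credentials) -> GeoID.
USERS: Dict[str, int] = {
    "J.Smith01@hq01.com": 1,   # row quoted in the text
    "a.lee@hq02.com": 2,       # constructed
}

# Constructed file classifications (assumption): each file is classified by a
# prefix of the hierarchy, e.g. ("NA",) for a region-wide file, ("NA", "US")
# for a country-wide file, down to a full four-tier path for a single city.
FILES: Dict[str, Tuple[str, ...]] = {
    "regional_report.pdf": ("NA",),
    "us_tax.xlsx": ("NA", "US"),
    "nyc_lease.docx": ("NA", "US", "NYS", "NYC"),
    "ontario_policy.pdf": ("NA", "CA", "ON"),
}


def resolve_location(user: str) -> Optional[Location]:
    """Join USERS 117 to LOCATIONS 403 over the shared category GeoID.
    Returns None for an unlisted user or for a GeoID with no LOCATIONS row."""
    geo = USERS.get(user)
    return None if geo is None else LOCATIONS.get(geo)


def hierarchy_path(loc: Location) -> str:
    """Render a LOCATIONS row in the text's Region>Country>StPr>City form."""
    return ">".join(loc)


def is_authorized(user: str, filename: str) -> bool:
    """Grant when the user's resolved hierarchy begins with the file's prefix.
    Comparing the whole prefix rather than only the narrowest tier keeps a
    city or state code that repeats under another country from matching."""
    loc = resolve_location(user)
    prefix = FILES.get(filename)
    if loc is None or prefix is None or not 1 <= len(prefix) <= len(TIERS):
        return False   # fail closed on unknown users, files or malformed prefixes
    return tuple(loc)[: len(prefix)] == prefix


if __name__ == "__main__":
    for user in USERS:
        loc = resolve_location(user)
        print(f"{user}: GeoID {USERS[user]} -> {hierarchy_path(loc)}")
        for filename in FILES:
            print(f"  {filename}: {'GRANT' if is_authorized(user, filename) else 'DENY'}")
```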

Embodiments of the present invention may use a variety of procedures to implement security architectures based on multiple access-control lists and may store one or more of these access-control lists in any type of information repository known to those skilled in the art of software design. Such information repositories may include, but are not limited to, one or more relational databases, a Hadoop distributed file system, Extensible Markup Language (“XML”) code, Java code, Visual Basic code, or combinations thereof.

In some embodiments, the data structure of FIG. 4 may be extended to comprise an arbitrary number of access-control lists, and those access-control lists may be linked by one or more common categories or subcategories in complex ways. In some embodiments, an access-control list may combine instances of more than one type of category, and may combine instances of structured categories that each comprise subcategories, as illustrated in ACL LOCATIONS 403.

In some embodiments, such a security architecture may comprise a multi-step security procedure that employs multiple categorized ACLs to provide additional levels of security. Such a multi-step method might, for example, comprise the steps of: retrieving and authenticating a set of user credentials associated with a requesting user by locating and retrieving those credentials from a first ACL and then using those authenticated user credentials to retrieve an authorization code stored in a second ACL, wherein one or both retrievals may be functions of a category of a requested file; and then using that authorization code to retrieve a final access-control list that determines whether the requesting user is authorized to retrieve files classified by the category of the requested file.

Other embodiments might comprise, but are not limited to, methods wherein a category, or a subset of a category's set of subcategories, is related in ways that allow a plurality of access-control lists to be linked together to provide multilevel security authentication, authorization, and access-control procedures, or to provide redundant security authentication, authorization, and access-control procedures, or to allow steps that relate subcategories of different variables in order to control access to files. In other embodiments, such steps and procedures may be combined to control access to files that are associated with classifications from different or multiple categories.

Although these examples may span a broad range of implementations, all these embodiments, and other embodiments of the present invention not expressly described herein, comprise methods to control access to computer files that are based on the use of an access-control list in conjunction with the classification of those files within a category.

While embodiments of the present invention have been described herein for purposes of illustration, many modifications and changes will become apparent to those skilled in the art. Steps of the methods described herein may be performed in different order or may vary in minor ways. Accordingly, the appended claims are intended to encompass all such modifications and changes as fall within the true spirit and scope of this invention.

What is claimed is:
1. A method for controlling access to files, the method comprising the steps of: receiving classifications of two or more files into a same category and storing the classifications of the two or more files, wherein the category comprises one of: product-line identifier, geographic location, customer-account identifier, network type, server-platform type, and server operating status; receiving a configuration of an access-control list to grant access to one or more users to the two or more files based on the category; in response to a request for access by a user for one file of the two or more files, the request specifying the one file but not the category of the one file, identifying, by one or more processors, the category of the one file based on the stored classification of the one file, and checking the access-control list to determine that the user is authorized to access the category, and, in response, granting, by the one or more processors, the user access to the one file.
2. The method of claim 1, wherein the same category comprises one of: product-line identifier, geographic location, and customer-account identifier.
3. The method of claim 1, wherein the same category comprises one of: network type, server-platform type, and server operating status.
4. The method of claim 1: wherein the configuration comprises: the processor storing the access-control list in an information repository, wherein the information repository comprises a security architecture, wherein the security architecture controls access to a secured system, wherein the security architecture comprises a category variable, and wherein the category variable comprises a set of category sub-variables; and wherein the identifying comprises: requesting and receiving a set of user credentials, wherein the set of user credentials is associated with the user; communicating a first query to the information repository, wherein the first query is a function of the set of user credentials; receiving an authorization code from the information repository in response to the first query, wherein the authorization code is a function of the user credentials, and wherein the authorization code confirms that the user is an authenticated user of the secured system; communicating a second query to the information repository, wherein the second query is a function of the authorization code; receiving the access-control list from the information repository in response to the second query, wherein the receiving is a function of the authorization code; and retrieving the category from the access-control list.
5. The method of claim 4, wherein the same category comprises one of: product-line identifier, geographic location, and customer-account identifier.
6. The method of claim 4, wherein the same category comprises one of: network type, server-platform type, and server operating status.
7. The method of claim 4, wherein the information repository comprises one of: a data warehouse, a database, and a file system.
8. A computer program product for controlling access to files, the computer program product comprising: a computer-readable storage device; first program instructions for receiving classifications of two or more files into a same category and storing the classifications of the two or more files, wherein the category comprises one of: product-line identifier, geographic location, customer-account identifier, network type, server-platform type, and server operating status; second program instructions for receiving a configuration of an access-control list to grant access to one or more users to the two or more files based on the category; third program instructions for, in response to a request for access by a user for one file of the two or more files, the request specifying the one file but not the category of the one file, identifying, by one or more processors, the category of the one file based on the stored classification of the one file, and checking the access-control list to determine that the user is authorized to access the category, and, in response, granting, by the one or more processors, the user access to the one file; wherein the first program instructions, the second program instructions, and the third program instructions are stored on the computer-readable storage device.
9. The computer program product of claim 8, wherein the same category comprises one of: product-line identifier, geographic location, and customer-account identifier.
10. The computer program product of claim 8, wherein the same category comprises one of: network type, server-platform type, and server operating status.
11. A computer system for controlling access to files, the computer system comprising: a processor; a computer-readable memory; a computer-readable storage device; first program instructions for receiving classifications of two or more files into a same category and storing the classifications of the two or more files, wherein the category comprises one of: product-line identifier, geographic location, customer-account identifier, network type, server-platform type, and server operating status; second program instructions for receiving a configuration of an access-control list to grant access to one or more users to the two or more files based on the category; third program instructions for, in response to a request for access by a user for one file of the two or more files, the request specifying the one file but not the category of the one file, identifying, by one or more processors, the category of the one file based on the stored classification of the one file, and checking the access-control list to determine that the user is authorized to access the category, and, in response, granting, by the one or more processors, the user access to the one file; wherein the first program instructions, the second program instructions, and the third program instructions are stored on the computer-readable storage device for execution by the processor via the computer-readable memory.
12. The computer system of claim 11, wherein the same category comprises one of: product-line identifier, geographic location, and customer-account identifier.
13. The computer system of claim 11, wherein the same category comprises one of: network type, server-platform type, and server operating status.